Add credential library resource for Vault (#114)

* Integrate with Vault to retrieve and manage per session credentials

Co-authored-by: Louis Ruch <louisruch@gmail.com>

docs/resources/credential_library_vault.md

@@ -0,0 +1,86 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "boundary_credential_library_vault Resource - terraform-provider-boundary"
+subcategory: ""
+description: |-
+  The credential library for Vault resource allows you to configure a Boundary credential library for Vault.
+---
+
+# boundary_credential_library_vault (Resource)
+
+The credential library for Vault resource allows you to configure a Boundary credential library for Vault.
+
+## Example Usage
+
+```terraform
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "foo" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "127.0.0.1"
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5"
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "foo"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path          = "my/secret/foo"
+  http_method         = "GET"
+}
+
+resource "boundary_credential_library_vault" "bar" {
+  name                = "bar"
+  description         = "My second Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path          = "my/secret/bar"
+  http_method         = "POST"
+  request_body        = <<EOT
+{
+  "key": "Value",
+}
+EOT
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **credential_store_id** (String) The ID of the credential store that this library belongs to.
+- **path** (String) The Vault path to query
+
+### Optional
+
+- **description** (String) The Vault credential library description.
+- **http_method** (String) The HTTP method to use when contacting Vault
+- **http_request_body** (String) The raw string to use in HTTP request to Vault
+- **name** (String) The Vault credential library name. Defaults to the resource name.
+
+### Read-Only
+
+- **id** (String) The ID of the Vault credential library.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import boundary_credential_library_vault.foo <my-id>
+```

docs/resources/credential_store_vault.md

@@ -0,0 +1,72 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "boundary_credential_store_vault Resource - terraform-provider-boundary"
+subcategory: ""
+description: |-
+  The credential store for Vault resource allows you to configure a Boundary credential store for Vault.
+---
+
+# boundary_credential_store_vault (Resource)
+
+The credential store for Vault resource allows you to configure a Boundary credential store for Vault.
+
+## Example Usage
+
+```terraform
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "example" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "127.0.0.1"
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5"
+  scope_id    = boundary_scope.project.id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **address** (String) The address to Vault server
+- **scope_id** (String) The scope for this credential store
+- **token** (String, Sensitive) The Vault token
+
+### Optional
+
+- **ca_cert** (String) The Vault CA certificate to use
+- **client_certificate** (String) The Vault client certificate
+- **client_certificate_key** (String, Sensitive) The Vault client certificate key
+- **description** (String) The Vault credential store description.
+- **name** (String) The Vault credential store name. Defaults to the resource name.
+- **namespace** (String) The namespace within Vault to use
+- **tls_server_name** (String) The Vault TLS server name
+- **tls_skip_verify** (Boolean) Whether or not to skip TLS verification
+
+### Read-Only
+
+- **client_certificate_key_hmac** (String) The Vault client certificate key hmac
+- **id** (String) The ID of the Vault credential store.
+- **token_hmac** (String) The Vault token hmac
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import boundary_credential_store_vault.foo <my-id>
+```

docs/resources/target.md

@@ -33,6 +33,22 @@ resource "boundary_scope" "project" {
   auto_create_admin_role = true
 }
 
+resource "boundary_credential_store_vault" "foo" {
+  name        = "vault_store"
+  description = "My first Vault credential store!"
+  address     = "http://localhost:55001"
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5"
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "vault_library"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path          = "database/creds/opened"
+  http_method         = "GET"
+}
+
 resource "boundary_host_catalog" "foo" {
   name        = "test"
   description = "test catalog"
@@ -72,6 +88,9 @@ resource "boundary_target" "foo" {
   host_set_ids = [
     boundary_host_set.foo.id
   ]
+  credential_library_ids = [
+    boundary_credential_library_vault.foo.id
+  ]
 }
 ```
 
@@ -85,6 +104,7 @@ resource "boundary_target" "foo" {
 
 ### Optional
 
+- **credential_library_ids** (Set of String) A list of credential library ID's.
 - **default_port** (Number) The default port for this target.
 - **description** (String) The target description.
 - **host_set_ids** (Set of String) A list of host set ID's.

examples/resources/boundary_credential_library_vault/import.sh

@@ -0,0 +1 @@
+terraform import boundary_credential_library_vault.foo <my-id>

examples/resources/boundary_credential_library_vault/resource.tf

@@ -0,0 +1,43 @@
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "foo" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "127.0.0.1"
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5"
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "foo"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path          = "my/secret/foo"
+  http_method         = "GET"
+}
+
+resource "boundary_credential_library_vault" "bar" {
+  name                = "bar"
+  description         = "My second Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path          = "my/secret/bar"
+  http_method         = "POST"
+  request_body        = <<EOT
+{
+  "key": "Value",
+}
+EOT
+}

examples/resources/boundary_credential_store_vault/import.sh

@@ -0,0 +1 @@
+terraform import boundary_credential_store_vault.foo <my-id>

examples/resources/boundary_credential_store_vault/resource.tf

@@ -0,0 +1,22 @@
+resource "boundary_scope" "org" {
+  name                     = "organization_one"
+  description              = "My first scope!"
+  scope_id                 = "global"
+  auto_create_admin_role   = true
+  auto_create_default_role = true
+}
+
+resource "boundary_scope" "project" {
+  name                   = "project_one"
+  description            = "My first scope!"
+  scope_id               = boundary_scope.org.id
+  auto_create_admin_role = true
+}
+
+resource "boundary_credential_store_vault" "example" {
+  name        = "foo"
+  description = "My first Vault credential store!"
+  address     = "127.0.0.1"
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5"
+  scope_id    = boundary_scope.project.id
+}

examples/resources/boundary_target/resource.tf

@@ -18,6 +18,22 @@ resource "boundary_scope" "project" {
   auto_create_admin_role = true
 }
 
+resource "boundary_credential_store_vault" "foo" {
+  name        = "vault_store"
+  description = "My first Vault credential store!"
+  address     = "http://localhost:55001"
+  token       = "s.0ufRo6XEGU2jOqnIr7OlFYP5"
+  scope_id    = boundary_scope.project.id
+}
+
+resource "boundary_credential_library_vault" "foo" {
+  name                = "vault_library"
+  description         = "My first Vault credential library!"
+  credential_store_id = boundary_credential_store_vault.foo.id
+  path          = "database/creds/opened"
+  http_method         = "GET"
+}
+
 resource "boundary_host_catalog" "foo" {
   name        = "test"
   description = "test catalog"
@@ -57,4 +73,7 @@ resource "boundary_target" "foo" {
   host_set_ids = [
     boundary_host_set.foo.id
   ]
+  credential_library_ids = [
+    boundary_credential_library_vault.foo.id
+  ]
 }

go.mod

@@ -13,17 +13,15 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.545 // indirect
 	github.com/aws/aws-sdk-go v1.35.4 // indirect
-	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/circonus-labs/circonusllhist v0.1.4 // indirect
 	github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe // indirect
-	github.com/coreos/go-oidc v2.2.1+incompatible // indirect
 	github.com/golang/snappy v0.0.2 // indirect
-	github.com/hashicorp/boundary v0.2.2
-	github.com/hashicorp/boundary/api v0.0.10
-	github.com/hashicorp/boundary/sdk v0.0.4
-	github.com/hashicorp/cap v0.0.0-20210518163718-e72205e8eaae
+	github.com/hashicorp/boundary v0.3.1-0.20210623022626-df35699c4ef2
+	github.com/hashicorp/boundary/api v0.0.12-0.20210623022626-df35699c4ef2
+	github.com/hashicorp/boundary/sdk v0.0.5-0.20210623022626-df35699c4ef2
+	github.com/hashicorp/cap v0.1.0
 	github.com/hashicorp/go-immutable-radix v1.3.0 // indirect
-	github.com/hashicorp/go-kms-wrapping v0.6.1
+	github.com/hashicorp/go-kms-wrapping v0.6.2
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/hashicorp/hcl/v2 v2.6.0 // indirect
 	github.com/hashicorp/terraform-plugin-docs v0.4.0
@@ -33,11 +31,10 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/oracle/oci-go-sdk v24.3.0+incompatible // indirect
-	github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
 	github.com/prometheus/common v0.14.0 // indirect
 	github.com/prometheus/procfs v0.2.0 // indirect
 	github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c // indirect
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )